MSS Exceeded on ASA 8.0

Unanswered Question
Nov 5th, 2009

Hi guys,


I'm seeing something strange in my ASA log:

Dropping TCP packet from dmz:10.x.x.x/23 to inside:10.x.x.x/45762, reason: MSS exceeded, MSS 536, data 556

536?? Am I reading that right?


When I do sh run sysopt:

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn


Why are these packets being dropped?

jan.nielsen Thu, 11/05/2009 - 13:47

It means your host is sending more data than it initially negotiated that it could. Usually a badly written application does this; it can be allowed by doing a tcp map for that flow and allowing exceed mss.

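Added example (not from the thread or from Cisco): a small Python triage script that parses these "MSS exceeded" drop messages, groups them per flow so you can see which sender is ignoring the MSS, and models the two pieces of ASA logic behind the message: the SYN-time clamp done by `sysopt connection tcpmss` and the per-segment payload check. The log lines, addresses and the second and third drops are constructed for the sample; the `%ASA-4-...` prefix is part of the constructed sample and the parser does not depend on it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not from the original post). Addresses and the
# second/third drop lines are made up; the %ASA prefix is only sample text.
SAMPLE_LOG = """\
%ASA-4-419001: Dropping TCP packet from dmz:10.1.2.3/23 to inside:10.1.1.1/45762, reason: MSS exceeded, MSS 536, data 556
%ASA-4-419001: Dropping TCP packet from dmz:10.1.2.3/23 to inside:10.1.1.1/45762, reason: MSS exceeded, MSS 536, data 1020
%ASA-4-419001: Dropping TCP packet from outside:198.51.100.7/443 to inside:10.1.1.50/51000, reason: MSS exceeded, MSS 1380, data 1400
%ASA-6-302013: Built inbound TCP connection 1234 for dmz:10.1.2.3/23 (10.1.2.3/23) to inside:10.1.1.1/45762 (10.1.1.1/45762)
"""

MSS_EXCEEDED_RE = re.compile(
    r"Dropping TCP packet from (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)


@dataclass(frozen=True)
class MssDrop:
    """One 'MSS exceeded' drop as logged by the ASA."""
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    mss: int    # MSS the *receiving* side advertised during the handshake
    data: int   # TCP payload bytes in the dropped segment

    @property
    def excess(self) -> int:
        return self.data - self.mss

    @property
    def flow(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def parse_mss_drops(log_text: str) -> list:
    """Extract every MSS-exceeded drop from raw syslog text."""
    drops = []
    for line in log_text.splitlines():
        m = MSS_EXCEEDED_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        drops.append(MssDrop(
            g["src_if"], g["src_ip"], int(g["src_port"]),
            g["dst_if"], g["dst_ip"], int(g["dst_port"]),
            int(g["mss"]), int(g["data"]),
        ))
    return drops


def summarize_by_flow(drops) -> dict:
    """Count drops per flow; the source side is the host ignoring the MSS."""
    summary = defaultdict(lambda: {"count": 0, "mss": None, "max_data": 0})
    for d in drops:
        s = summary[d.flow]
        s["count"] += 1
        s["mss"] = d.mss
        s["max_data"] = max(s["max_data"], d.data)
    return dict(summary)


def effective_syn_mss(advertised: int, tcpmss_max: int = 1380, tcpmss_min: int = 0) -> int:
    """MSS option as it leaves the ASA after 'sysopt connection tcpmss'.

    An option larger than tcpmss_max is rewritten down to tcpmss_max; one
    smaller than a configured (non-zero) tcpmss_min is raised to the minimum.
    With 'tcpmss minimum 0' nothing is raised, so a host advertising 536 is
    left at 536 even though the ASA is configured with tcpmss 1380.
    """
    if advertised > tcpmss_max:
        return tcpmss_max
    if tcpmss_min and advertised < tcpmss_min:
        return tcpmss_min
    return advertised


def segment_exceeds_mss(payload_len: int, peer_mss: int) -> bool:
    """The per-segment check behind the log message: a segment whose payload
    is larger than the MSS the peer advertised is dropped unless a tcp-map
    with 'exceed-mss allow' is applied to the flow."""
    return payload_len > peer_mss


if __name__ == "__main__":
    for flow, s in summarize_by_flow(parse_mss_drops(SAMPLE_LOG)).items():
        src_ip, src_port, dst_ip, dst_port = flow
        print(f"{src_ip}:{src_port} -> {dst_ip}:{dst_port}: {s['count']} drop(s), "
              f"peer MSS {s['mss']}, largest segment {s['max_data']}")
```

Reading the summary for the poster's line: the 536 is what the inside host (the telnet client on port 45762) put in its own SYN, not something the ASA set, since the clamp only lowers values above 1380; the dmz telnet server then sent a 556-byte segment anyway. If the sender cannot be fixed, the tcp-map fix jan.nielsen describes (`exceed-mss allow`, attached with `set connection advanced-options` under a class that matches only that flow) should be scoped as narrowly as possible, because it switches off that part of the TCP normalizer for whatever traffic the class matches.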
mathieu.ploton Thu, 11/05/2009 - 13:57

It's curious, the packets dropped are from a telnet session between a Cisco router inside and a Cisco switch in the DMZ...

jan.nielsen Thu, 11/05/2009 - 16:39

That is strange. Have you tried it from a Windows PC with telnet to that device in the DMZ instead?
